application:

1. (Original) A method comprising:

providing a host computer system having at least one network interface interfaced with a
computer network;

operating the host computer system in a multi-user mode;

detecting an intrusion event using a system daemon; and

in response to detecting the intrusion event, isolating the at least one network interface
from the computer network and taking the host computer system down to a single
user state so that access to the host computer system is limited to physical access
at the host computer system.



2. (Canceled). 

3. (Original) The method of claim 1 wherein said isolating the at least one network
interface from the computer network comprises issuing an IFCONFIG down command to the at 
least one network interface. 

4. (Original) The method of claim 1 wherein said taking the host computer system 
down to the single user state comprises issuing an INIT1 command to an operating system of the 
host computer system. 

5. (Original) The method of claim 1 further comprising: 

reading, by the system daemon, a configuration file that indicates at least one file in a file 
system of the host computer system to be monitored for intrusion.

6. (Original) The method of claim 5 wherein the configuration file comprises a first
directive type that indicates a directory whose members are to be monitored for intrusion, a 
second directive type that indicates a file to be monitored for intrusion, and a third directive type 
that indicates another configuration file to be monitored for intrusion. 

7. (Original) The method of claim 1 further comprising: 

computing a data verification signature for a monitored file in a file system of the host
computer system; and

comparing the data verification signature to a valid data verification signature for the
monitored file;

wherein said detecting the intrusion event comprises detecting that the data verification 
signature differs from the valid data verification signature. 

8. (Original) The method of claim 7 wherein the valid data verification signature 
comprises a Message Digest 5 (MD5) signature.

9. (Original) The method of claim 7 further comprising: 

reading the valid data verification signature for the monitored file from a database that is 
located on a second computer system isolated physically and programmatically 
from the host computer system. 

10. (Original) The method of claim 9 further comprising: 

writing a log of the intrusion event to a log database that is not located on the host 
computer system or second computer system. 

11. (Original) The method of claim 1 wherein said detecting the intrusion event
comprises detecting an incorrect permission associated with a file in a file system of the host 
computer system. 

12. (Original) The method of claim 1 wherein said detecting the intrusion event
comprises detecting an incorrect ownership associated with a file in a file system of the host 
computer system. 

13. (Original) The method of claim 1 wherein said detecting the intrusion event 
comprises detecting that a file no longer exists in a file system of the host computer system. 

14. (Currently Amended) A method comprising: 

providing a host computer system having at least one network interface interfaced with a 
computer network; 

operating the host computer system in a multi-user mode; 

executing a JTRJP system daemon on the host computer system; 

reading, by the JTRDP system daemon, a configuration file that indicates at least one file 
in a file system of the host computer system to be monitored for intrusion, 
wherein the configuration file comprises a first directive type that indicates a 
directory whose members are to be monitored for intrusion, a second directive 
type that indicates a file to be monitored for intrusion, and a third directive type 
that indicates another configuration file to be monitored for intrusion; 

reading a valid MD5 signature for a monitored file from a database that is located on a 
second computer system isolated physically and programmatically from the host 
computer system; 

detecting an intrusion event using the JTPJP system daemon by detecting that an MD5
signature of the monitored file differs from the valid MD5 signature; and

in response to detecting the intrusion event:

issuing an IFCONFIG down command to the at least one network interface to isolate the 
at least one network interface from the computer network; 

issuing an INIT1 command to an operating system of the host computer system to take 
the host computer system down to a single user state; and 

writing a log of the intrusion event to a log database that is not located on the second 
computer system. 

15. (Original) A system comprising:

a host computer system having at least one network interface interfaced with a computer
network, the host computer system to:

operate in a multi-user mode;

detect an intrusion event using a system daemon; and

in response to detecting the intrusion event, isolate the at least one network interface from 
the computer network and take the host computer system down to a single user 
state so that access to the host computer system is limited to physical access at the 
host computer system. 

16. (Canceled). 

17. (Original) The system of claim 15 wherein the host computer system is to isolate the 
at least one network interface from the computer network by issuing an IFCONFIG down 
command to the at least one network interface. 

18. (Original) The system of claim 15 wherein the host computer system is taken down
to the single user state by issuing an INIT1 command to an operating system of the host 
computer system. 

19. (Original) The system of claim 15 wherein the host computer system is further to
read, by the system daemon, a configuration file that indicates at least one file in a file system of 
the host computer system to be monitored for intrusion. 

20. (Original) The system of claim 19 wherein the configuration file comprises a first 
directive type that indicates a directory whose members are to be monitored for intrusion, a 
second directive type that indicates a file to be monitored for intrusion, and a third directive type 
that indicates another configuration file to be monitored for intrusion.

21. (Original) The system of claim 15 wherein the host computer system is further to:

compute a data verification signature for a monitored file in a file system of the host
computer system; and

compare the data verification signature to a valid data verification signature for the
monitored file;

wherein the intrusion event is detected by detecting that the data verification signature 
differs from the valid data verification signature. 

22. (Original) The system of claim 21 wherein the valid data verification signature 
comprises a Message Digest 5 (MD5) signature. 

23. (Original) The system of claim 21 further comprising: 

a second computer system isolated physically and programmatically from the host 
computer system; 

wherein the host computer system is to read the valid data verification signature for the 
monitored file from a database that is located on the second computer system.

24. (Original) The system of claim 23 further comprising: 

a log database not located on the host computer system or the second computer system;

wherein the host computer system is further to write a log of the intrusion event to the log
database. 

25. (Original) The system of claim 15 wherein the intrusion event comprises an incorrect
permission associated with a file in a file system of the host computer system. 

26. (Original) The system of claim 15 wherein the intrusion event comprises an incorrect 
ownership associated with a file in a file system of the host computer system. 

27. (Original) The system of claim 15 wherein the intrusion event comprises a file no 
longer existing in a file system of the host computer system. 
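
The detection conditions of claims 5 through 13 and the response of claims 3 and 4, as an added Python example that is not part of the application or any implementation of it. The directive keywords `dir`, `file` and `config`, all function names, and the in-memory baseline record (standing in for the database on the second computer system) are assumptions; the response commands are returned as argument lists and are not executed.

```python
import hashlib
import os
import stat

def digest(path, algo="md5"):
    # Claims 8 and 22 name MD5; it is collision-broken, so prefer algo="sha256" today.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def monitored_paths(config_text):
    """Expand the three directive types; dir/file/config keywords are hypothetical."""
    paths = set()
    for line in config_text.splitlines():
        kind, _, target = line.strip().partition(" ")
        if kind == "dir":        # directory whose (regular-file) members are monitored
            members = (os.path.join(target, n) for n in os.listdir(target))
            paths.update(p for p in members if os.path.isfile(p))
        elif kind in ("file", "config"):   # a file, or another configuration file
            paths.add(target)
    return paths

def record(path, algo="md5"):
    """Baseline entry; in the claims this is read from a database on a separate system."""
    st = os.stat(path)
    return {"sig": digest(path, algo), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}

def check(path, valid, algo="md5"):
    """Return the intrusion events for one monitored file (claims 7, 11, 12, 13)."""
    try:
        cur = record(path, algo)
    except FileNotFoundError:
        return ["missing"]
    events = []
    if cur["sig"] != valid["sig"]:
        events.append("signature")
    if cur["mode"] != valid["mode"]:
        events.append("permission")
    if (cur["uid"], cur["gid"]) != (valid["uid"], valid["gid"]):
        events.append("ownership")
    return events

def response(events, interfaces):
    """Commands from claims 3 and 4 as argv lists; nothing is executed here."""
    plan = [["ifconfig", i, "down"] for i in interfaces] + [["init", "1"]]
    return plan if events else []
```
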